Session Management Flaw in Keycloak
CVE-2025-12390

6MEDIUM

Key Information:

Vendor

Keycloak

Status
Keycloak
Red Hat Build Of Keycloak 26.2
Red Hat Build Of Keycloak 26.2.11
Red Hat Build Of Keycloak 26.4
Vendor
CVE Published:
28 October 2025

What is CVE-2025-12390?

Keycloak contains a session management issue where users sharing the same device and browser may inadvertently access each other's sessions. This occurs due to improper handling of session identifiers, leading to token reuse and potential unauthorized access. When users log out without fully clearing browser cookies, residual data can allow a subsequent user to receive tokens meant for the prior user, creating a significant security risk.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

keycloak 0 < 26.0.0

Red Hat build of Keycloak 26.2 26.2.11-1

Red Hat build of Keycloak 26.2 26.2-12

References

https://access.redhat.com/errata/RHSA-2025:21370
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2025:21371
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2025:22088
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
6
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank Simon Levermann (CTS EVENTIM Solutions GmbH) for reporting this issue.
JSON
.